WIP: fix import-gitea-users script

kommode/gitea: fix declarative secrets
2025-08-14 20:41:15 +02:00 · 2025-08-03 04:44:37 +02:00
3 changed files with 12 additions and 5 deletions
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -51,11 +51,11 @@ in {
        START_SSH_SERVER = true;
        START_LFS_SERVER = true;
        LFS_JWT_SECRET = lib.mkForce "";
-        LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path;
+        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
      };
      oauth2 = {
        JWT_SECRET = lib.mkForce "";
-        JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path;
+        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
      };
      "git.timeout" = {
        MIGRATE = 3600;
@@ -85,7 +85,7 @@ in {
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
-        SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path;
+        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      database.LOG_SQL = false;
      repository = {
--- a/hosts/kommode/services/gitea/import-users/default.nix
+++ b/hosts/kommode/services/gitea/import-users/default.nix
@@ -11,7 +11,8 @@ in
  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
    enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
        flakeIgnore = [
@@ -25,6 +26,7 @@ in
      ];
      DynamicUser="yes";
      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
      RuntimeDirectory = "gitea-import-users";
    };
  };
--- a/hosts/kommode/services/gitea/import-users/gitea-import-users.py
+++ b/hosts/kommode/services/gitea/import-users/gitea-import-users.py
@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
 if PASSWD_FILE_PATH is None:
    PASSWD_FILE_PATH = '/tmp/passwd-import'
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
    r = requests.get(
@@ -187,7 +191,8 @@ def main():
    if existing_users is None:
        exit(1)
-    for username, name in passwd_file_parser("/tmp/passwd-import"):
+    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
        print(f"Processing {username}")
        add_or_patch_gitea_user(username, name, existing_users)
        for org, team_name in COMMON_USER_TEAMS:
Author	SHA1	Message	Date
h7x4	d44699e9f8	WIP: fix import-gitea-users script Some checks failed Eval nix flake / evals (push) Failing after 27s Details	2025-08-14 20:41:15 +02:00
h7x4	2010556643	kommode/gitea: fix declarative secrets Some checks failed Eval nix flake / evals (push) Failing after 29s Details	2025-08-03 04:44:37 +02:00